Code Injection in protobuf.js - #VU126312
Published: April 16, 2026
protobuf.js
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to code injection in protobuf definition compilation when processing attacker-controlled protobuf definitions during object decoding. A remote user can inject arbitrary code into the "type" fields of protobuf definitions to execute arbitrary code.
Exploitation requires control over the protobuf definition files used by the application.